MITIGATE

Description

Until recently, regulations on cyber security for ports and the maritime supply chain did not exist. However, cyber criminals have not only succeeded in shutting down or infecting software and hardware infrastructures, but also in diverting or misleading cargoes, ships and terminal equipment. The MITIGATE project has resulted in a risk management system specifically designed for the special needs of users of information infrastructures in the maritime supply chain.

Experts expect that the increasing networking of digital assets and Maritime 4.0 solutions will enable easier and more effective cyber attacks. A global study of risk experts ranked cyber incidents as the third highest business risk worldwide for all industries and expects it to be the highest business risk in the future. This is why maritime organisations, classification societies and international administrations are setting standards to prevent the emergence and spread of cyber incidents. The risk assessment module of the MITIGATE system takes all these requirements into account.

MITIGATE System

MITIGATE offers a dynamic risk management system for all actors of the maritime supply chain to protect it from cyber-criminal activities.

The first ENISA (European Union Agency for Network and Information Security) report on cyber maritime security (2011) concludes that awareness of cyber security needs in the maritime sector is currently low to non-existent and highlights the challenges of managing the inter-dependencies between information and communication technology (ICT) systems and other port assets.

As a result, most of the actors involved in the maritime supply chain use varied and non-standard practices to guarantee the credibility and the effectiveness of the full system development life cycle including design/development, acquisition of custom or commercial off-the-shelf products, delivery, integration, operations, and disposal/retirement.

The existing risk management approaches are not appropriate for dealing with the distributed and interconnected nature of the dynamic information and communication technology based maritime supply chains. A first non-representative inquiry within the MITIGATE project revealed that almost two out of three of the interviewed persons have not yet undertaken risk assessments of their own IT-Infrastructure.

They stated that the most important IT-Cyber Assets are the internal computer networks (50 to 60%), databases and operative applications (in each case 65 to 75%). To close this gap, MITIGATE aims to develop an effective, collaborative, standards-based Risk Management system for port’s Critical Information Infrastructures (CIIs). The system will consider all threats arising from the global supply chain, including threats associated with port CIIs interdependencies and associated cascading effects.

Project Aims

Integration of a novel risk management system

Despite the importance of CIIs and dynamic information and communication technology (ICT)-based maritime supply chains (SCs) for port operations, state-of-the-art RM methodologies for maritime environments pay limited attention to cyber-security and do not adequately address security processes for international SCs.

Motivated by these limitations, MITIGATE will introduce, integrate, validate and commercialize a novel RM system, which will empower stakeholders’ collaboration for the identification, assessment and mitigation of risks associated with cybersecurity assets and SC processes. This collaborative system will boost transparency in risk handling, while enabling the generation of unique evidence about risk assessment and mitigation. At the heart of the RM system will be an open simulation environment enabling stakeholders to simulate risks and evaluate risk mitigation actions. This environment will allow users to model, design, execute and analyse attack-oriented simulations.

"MITIGATE could help us to do our IT inventory and to give us an overview over our IT relationships. It could point out possible risky “attack paths” and by comparing simulations we could look for suitable solutions to mitigate risks in most economical or most effective" Dieter Hentschel, security officer at the harbourmaster's office in the ports of Bremerhaven/Bremen, Germany.

Key findings

The project partners have created a software environment in which companies in the maritime supply chain can carry out a self-test of the hardware and software assets they use. This solution provides all companies and organisations in the maritime supply chain with an easy-to-use and, at the same time, effective risk management system that enables them to achieve timely detection of cyber threats.

MITIGATE introduced, integrated and validated a novel dynamic risk management framework, which significantly enhanced state-of-the-art approaches (at national and international level) in the direction of addressing maritime supply chain security processes and their cascading effects.

Built on a collaborative evidence-based approach

MITIGATE was built on a collaborative evidence-based approach, which facilitated the production of simulated scenarios and security assurance models. The latter enabled the credible estimation of risk factors and their inherent risk, as well as threats, vulnerability and controlled risks, thereby enabling the calculation of residual risk. The latter reflected the risk factors following the application of contingency measures indicated as part of conventional sector-specific and national approaches.

Implementation and validation

MITIGATE was implemented and validated in the scope of port security and associated maritime contexts. The validation has had a transnational character and directly involved five prominent EU ports, thereby boosting the harmonisation of national approaches to the security of maritime supply chains. The project also produced a range of best practices and guidelines for the adaptation of the approach in other contexts and critical infrastructures.

Inclusion of governance toolkit

MITIGATE includes a governance toolkit, which deals with the adaptation of the project’s system across different ports and maritime settings. As part of this toolkit, the project considers the implication of legislation in the modelling, assessment and evaluation of risks. Note also that MITIGATE will empower collaborative, evidence-based and iterative risk assessment processes, during which stakeholders will be able to identify gaps and challenges associated with the applicable legal frameworks.

The identification of these gaps could later lead to suggested changes in the legal framework, which is also reflected in the best practices and guidelines to be produced in the project and contributed to the NIS public-private platform. Note that the MITIGATE pilots across five EU ports have facilitated the identification of legal gaps for security in maritime supply chains, as well as their remedy.

MITIGATE at national and European events

The MITIGATE tool was presented at international fairs, scientific conferences, workshops and numerous other technical and business meetings. These included the transport logistic 2017 in Munich, the ARES-Conference 2017 in Reggio Calabria and the Security and Safety at the EU ports 2018 Conference in Piraeus.